Data Processing Agreement
Last updated: April 22, 2026
Overview
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the LukaGRC Terms of Service. It applies whenever LukaGRC ("Processor") processes Personal Data on behalf of Customer ("Controller") through the Service.
This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act / CPRA, and other applicable data-protection laws. In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to Personal Data processing.
A counter-signed copy of this DPA (and any requested Standard Contractual Clauses) is available free of charge to Customers on request at hello@lukagrc.com.
Processor Obligations
In addition to the specific commitments below, LukaGRC will:
- Process Personal Data only on Customer's documented instructions, which include the Terms of Service, this DPA, and actions Customer takes through the Service configuration
- Ensure that personnel authorized to process Personal Data are bound by appropriate written confidentiality obligations
- Implement the Security Measures described below and at lukagrc.com/security
- Not transfer Personal Data to a third country except in accordance with the Transfers section of this DPA
- Engage sub-processors only under the conditions in the Sub-Processors section
- Assist Customer in meeting its obligations under applicable data-protection laws, including Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, to the extent the information is available to us
- Make available to Customer information necessary to demonstrate compliance with this DPA
Customer Obligations
Customer warrants and represents that:
- It has established a valid legal basis under applicable law for each category of Personal Data it submits to the Service
- It has obtained any necessary consents or provided any required notices to its data subjects
- The instructions it gives LukaGRC (including through Service configuration) comply with applicable law
- It will not submit categories of Personal Data that are unnecessary for the compliance purposes for which the Service is provided (e.g., do not upload unrelated sensitive personal data)
Definitions
- Controller: The customer who determines the purposes and means of processing personal data
- Processor: LukaGRC, which processes personal data on behalf of the Controller
- Personal Data: Any information uploaded to LukaGRC that relates to an identified or identifiable individual
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
Scope of Processing
LukaGRC processes personal data only as necessary to provide our services, including:
- Account and user management
- AI-powered document analysis and evidence mapping
- Questionnaire automation
- Vendor risk management
- Platform support and troubleshooting
Data Subject Categories
Personal data may relate to:
- Customer employees and authorized users
- Third-party vendors and assessors
- Individuals mentioned in compliance documentation
Types of Personal Data
- Names and contact information
- Employment details and job titles
- IP addresses and system logs
- Data contained in uploaded policies and documentation
Security Measures
LukaGRC implements the following technical and organizational measures. Capabilities marked (*) are enabled by default for all tenants; others are configurable per tenant.
- *AES-256 encryption at rest (AWS-managed keys for S3 and RDS)
- *TLS 1.3 encryption in transit (HSTS preload, 2-year max-age)
- *Logical multi-tenant isolation via mandatory tenant_id filter on every database query
- *Password hashing with bcrypt (cost 14) and global pepper stored separately from the database
- *Have I Been Pwned check on password create and change
- Multi-factor authentication via TOTP and WebAuthn/passkeys (configurable per tenant)
- Enterprise Single Sign-On via AWS Cognito (Google, Microsoft, SAML IdPs)
- IP allowlisting per tenant (enforced at the auth middleware layer)
- *Role-based access control with wildcard or fine-grained permissions
- *Audit logging with SHA-256 hash-chain integrity on all security events
- *Session cookies are HttpOnly, Secure, SameSite=Strict with a 24-hour lifetime
- *Rate limiting (IP-based) on auth, registration, webhook ingest, and sensitive endpoints
- *AI abuse guard with per-tenant burst limits, trial ceilings, and monthly hard caps to prevent runaway spend and abuse
- *AWS WAF with AWS Managed Rules, SQLi, Known Bad Inputs, rate limiting, and scanner-IP blocklist
- *Nginx security-headers snippet (HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP) on all responses
- *Content Security Policy with per-request nonce
- *Automated daily RDS backups with 7-day retention; manual snapshots before major changes
- *CloudWatch alarms on CloudFront 5xx rate, request drops, RDS connections, and EC2 status
- Personnel confidentiality obligations for all employees and contractors; background checks on employees with production access
- Security patches applied on Dependabot's weekly review cadence, plus out-of-band for any HIGH/CRITICAL CVE
- Secure Software Development Lifecycle (SSDLC) policy enforcing parameterized queries, input validation, threat modeling, and security review on all code changes
We do not guarantee any specific level of confidentiality, integrity, or availability beyond the Terms of Service commitments. See lukagrc.com/security for the current public security posture.
Sub-Processors
LukaGRC engages the following sub-processors, each bound by a data processing agreement and confidentiality obligations materially equivalent to this DPA:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS), Inc. | Cloud hosting, storage (S3, RDS), compute (EC2), CDN (CloudFront), DNS (Route 53), secrets management, messaging (SNS/SES) | us-east-1 (N. Virginia, USA) |
| Anthropic, PBC (via AWS Bedrock) | AI inference for GRC content generation, questionnaire auto-answer, evidence analysis. Operated inside our AWS account; prompts and responses are not used for model training per Anthropic's Commercial API terms. | USA (AWS Bedrock regional endpoints) |
| Stripe, Inc. | Subscription billing, payment processing, invoice hosting, automatic tax calculation (where enabled). Payment card data is collected and stored by Stripe directly; it does not transit our infrastructure. | USA (SOC 1 / SOC 2 / PCI-DSS Level 1 certified) |
We will provide at least thirty (30) days' advance notice via email before adding a new sub-processor or materially changing the scope of an existing one. If you reasonably object to a proposed sub-processor on data-protection grounds, we will work with you in good faith to resolve the concern or, if unresolved, you may terminate your subscription without penalty.
Data Subject Rights
LukaGRC will assist customers in responding to data subject requests including:
- Access requests
- Rectification requests
- Erasure requests
- Restriction of processing
- Data portability
Customers can contact hello@lukagrc.com for assistance with data subject requests.
Data Breach Notification
In the event of a personal data breach, LukaGRC will:
- Notify affected customers without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach
- Provide available details of the breach, including the nature, categories and approximate number of data subjects and records affected
- Describe the likely consequences and the measures we've taken (or propose to take) to address the breach and mitigate its effects
- Assist customers in good faith with their own regulatory notification obligations (GDPR Article 33/34, state breach laws, etc.)
- Provide a post-incident report within thirty (30) days of containment
International Data Transfers
LukaGRC processes Personal Data in the United States (AWS us-east-1, Northern Virginia). Where Customer is located in the EEA, UK, or another jurisdiction with cross-border data-transfer restrictions, the following safeguards apply:
- The EU Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA by reference. On signature of a DPA via hello@lukagrc.com, we make the fully completed SCCs available and counter-sign.
- For UK transfers, the UK International Data Transfer Addendum to the EU SCCs (IDTA, March 2022) applies in addition.
- For Swiss transfers, the Swiss-specific amendments to the EU SCCs apply.
- Supplementary measures include: AES-256 encryption at rest, TLS 1.3 in transit, strict access controls, no routine government-access backdoors, sub-processor disclosure, and Transfer Impact Assessment documentation available on request.
Data Retention and Deletion
LukaGRC retains personal data only as long as necessary to provide services. Upon termination:
- Customers have 30 days to export their data
- LukaGRC will delete or anonymize personal data after the retention period
- Some data may be retained for legal or compliance purposes
Audit Rights
Customers may request information about LukaGRC's compliance with this DPA, including:
- SOC 2 Type II audit reports (when available)
- Information about security measures
- Details of sub-processors
Contact
For questions about this DPA or to request a signed copy:
Email: hello@lukagrc.com